Business-Management/changelog/2026-04-12_security-validation.md

# 2026-04-12 — Test user, password validation, security hook

**Timestamp:** 2026-04-12T14:10:00

## Summary

Added dev seed user, password strength validation, and a Docker-based pre-commit security check hook.

## Files Added

- `backend/scripts/seed.py` — async script that creates `test@example.com / Test123!` if it doesn't exist; safe to run multiple times
- `backend/scripts/start_dev.sh` — dev container entrypoint: runs `alembic upgrade head` → seed → uvicorn --reload
- `scripts/security_check.py` — security scanner: checks staged files for hardcoded secrets, dangerous patterns (eval/exec/shell=True/pickle), weak crypto (MD5/SHA1/DES), SQL injection risk, debug flags; also runs `bandit` on Python files
- `.githooks/pre-commit` — git hook that runs `security_check.py` inside `python:3.12-slim` Docker container; activated via `git config core.hooksPath .githooks`
- `changelog/2026-04-12_security-validation.md` — this file

## Files Modified

- `backend/app/schemas/user.py` — added `_validate_password` with: min 8 chars, uppercase, lowercase, digit, special char, word-boundary check against ~40 forbidden common words; `UserCreate.password_strength` field validator
- `docker-compose.dev.yml` — backend command changed from bare `uvicorn` to `sh scripts/start_dev.sh`
- `CLAUDE.md` — added Security hook section documenting what the hook checks and how to activate it on new clones
- `README.md` — updated Current State to mention test user, password policy, security hook